Bugtraq mailing list archives

Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"


From: Tim Newsham <newsham () lava net>
Date: Wed, 6 Feb 2008 07:48:10 -1000 (HST)

> Interestingly enough, OpenBSD uses a flavor of this PRNG for
> another field, this time the IP fragmentation ID, part of the
> OpenBSD kernel network stack. The analysis carries out quite
> similarly to show that OpenBSD's IP ID is predictable as well,
> which gives way to O/S fingerprinting, idle-scanning, host alias
> detection, traffic analysis, and in some cases, even to TCP blind
> data injection.

Can you expound upon the blind TCP injection allowed by IP ID
prediction?

> Amit Klein
> CTO Trusteer

Tim Newsham
http://www.thenewsh.com/~newsham/

